Encryption Risk Mitigation

Organizations everywhere are now responsible for preserving the privacy of customer, employee and other business-critical data. Governments and regulators also require them to implement encryption best practices, with financial penalties for data leaks. The result has been a massive adoption of strong encryption, both to ensure compliance and to protect customer data in transit and at rest.

TLS 1.3, the current version of the protocol that secures most encrypted communications, is now used by 62% of the top 1,000 websites. Yet some aspects of deploying strong encryption are poorly understood, and this is becoming a growing problem for security teams.

Data is put at risk when encryption protocols are misconfigured. Yet many companies, even in highly regulated industries, do not have a full view of what is and is not encrypted, or of whether they meet the standards set by regulators and governments. Sometimes this is due to legacy infrastructure, but more often it is because no one “owns” encryption within the company, so in the end no one is responsible for it.

Encrypted communications are a challenge even for organizations that enforce strict encryption standards at every level. The sheer volume of encrypted traffic makes it impractical for security teams to gain visibility through decryption alone. Instead, new ways to analyze and understand this traffic are needed, because an organization cannot mitigate cyber risk in parts of its network that it cannot see.

Reduce the risk of encrypted traffic

Attackers increasingly breach an organization’s perimeter and then hide their activity inside legitimate-looking encrypted network traffic, creating a substantial blind spot for security teams. In the first three quarters of 2021 alone, attacks carried over encrypted channels increased by 314% over the previous year. These attacks are not state-of-the-art, but the lack of visibility into encrypted traffic gives intruders free rein on private networks. Active decryption and inspection might seem to be the answer. However, decrypting vast volumes of traffic is costly and complex, and modern protocols use Perfect Forward Secrecy (ephemeral key exchange, mandatory in TLS 1.3), so session keys cannot be recovered from a stored server private key. Passive decryption of captured traffic is therefore no longer possible, and inspection requires terminating every TLS session at an inline proxy.

Attackers now use encrypted communications to hide, to breach organizations, and to move laterally once a beachhead has been established. The challenge is to spot suspicious encrypted communications within the company.

Organizations can only hope to reduce this risk if they can measure and understand the encrypted communications on their networks without relying on decryption. To achieve this, security teams must reorient toward deeper analysis of encrypted traffic, gaining greater certainty about what is happening inside encrypted streams.

Encrypted Traffic Analysis (ETA) is an emerging method of detecting suspicious or anomalous behavior hidden in encrypted traffic without decrypting it. It works on what remains visible in an encrypted session: handshake metadata such as the negotiated protocol version, cipher suite and server name indication (and, in TLS 1.2 and earlier, the certificate itself, which TLS 1.3 encrypts), together with flow characteristics such as packet sizes, timing, byte counts and connection duration. It combines artificial intelligence, machine learning and behavioral analysis of these features to improve visibility into encrypted network traffic without adding latency or violating privacy, and it provides near-real-time alerts so that security teams can react immediately rather than after the fact. This greatly increases the speed at which suspicious activity can be identified in encrypted traffic, thereby reducing business risk.
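The behavioral side of this can be illustrated with flow metadata alone. The following is an added example, not code from the article or from any ETA product: it groups encrypted flows by client/server pair and flags pairs whose connections recur at a near-constant interval with near-constant sizes, the signature of a compromised host polling its command-and-control server. The flow records, the thresholds and the addresses are constructed for the example.

```python
"""Behavioral analysis of encrypted flows without decryption (added example).

Works only on metadata that stays visible under TLS: who talked to whom, when,
and how many bytes moved in each direction.  A beacon (malware polling its C2
server) tends to connect at a near-constant interval with near-constant sizes,
which is rare for human-driven traffic.  Thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch
    src: str         # client address
    dst: str         # "server_ip:port"
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


def _cv(values):
    """Coefficient of variation (std / mean); 0.0 for a constant series."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def detect_beacons(flows, min_connections=6, max_interval_cv=0.15, max_size_cv=0.25):
    """Return client/server pairs whose flows look like periodic beacons."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits = []
    for (src, dst), group in by_pair.items():
        if len(group) < min_connections:
            continue
        group.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(group, group[1:])]
        sizes = [f.bytes_out + f.bytes_in for f in group]
        icv, scv = _cv(intervals), _cv(sizes)
        # Regular timing AND regular size together is what makes a beacon stand out.
        if icv <= max_interval_cv and scv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "count": len(group),
                         "period_s": round(mean(intervals), 1),
                         "interval_cv": round(icv, 3), "size_cv": round(scv, 3)})
    return hits


# Constructed sample (not captured traffic): 10.0.0.5 checks in with
# 203.0.113.10 roughly every 60 s with near-identical sizes; 10.0.0.9 browses
# 198.51.100.20 at irregular times with widely varying sizes.
SAMPLE_FLOWS = [
    Flow(1_700_000_000 + i * 60 + (i % 3) - 1, "10.0.0.5", "203.0.113.10:443",
         640 + (i % 2) * 16, 1200)
    for i in range(10)
] + [
    Flow(1_700_000_000 + t, "10.0.0.9", "198.51.100.20:443", out, inb)
    for t, out, inb in [(3, 1500, 48000), (7, 900, 2200), (95, 4200, 310000),
                        (101, 700, 900), (260, 2100, 78000), (262, 650, 1100),
                        (540, 3300, 40500)]
]

if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_FLOWS):
        print(hit)
```

Against the sample data only the 10.0.0.5 pair is reported, with a 60 s period and an interval coefficient of variation near 0.02; the browsing host has as many connections but irregular timing and sizes, so it is not flagged. In production the same features would feed a model rather than fixed thresholds, but the inputs are the same: timing and volume, never payload.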

The network visibility gained through an ETA platform can also help organizations confirm that their encrypted estate is as secure as they intend it to be. Many organizations rely on static analysis of the server certificate, but a certificate does not tell you which protocol version and cipher suite were actually negotiated and used in each individual session; that information exists only in the handshake itself.
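The handshake check described above can be done directly on the wire, because the ClientHello and ServerHello are sent in the clear in every TLS version. The following is an added example, not the article’s or any vendor’s code: it parses both messages, derives the negotiated version (honouring the supported_versions extension that TLS 1.3 uses instead of the legacy version field), names the cipher suite, extracts the SNI, and reports policy findings such as a protocol below TLS 1.2, a non-AEAD suite, or RSA key exchange without forward secrecy. The handshake bytes are constructed for the example rather than captured; the suite table covers only a handful of suites.

```python
"""Negotiated TLS parameters per session, read from the handshake (added example)."""
import struct

HANDSHAKE, HS_CLIENT_HELLO, HS_SERVER_HELLO = 22, 1, 2
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITES = {  # IANA names for the few suites this example recognises
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def _extensions(buf):
    """Parse an extensions block: 2-byte total length, then type/len/data triples."""
    exts, end, off = {}, 2 + _u16(buf, 0), 2
    while off + 4 <= end:
        etype, elen = _u16(buf, off), _u16(buf, off + 2)
        exts[etype] = buf[off + 4: off + 4 + elen]
        off += 4 + elen
    return exts


def _handshake_body(record):
    """Strip the 5-byte record header and 4-byte handshake header -> (type, body)."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + _u16(record, 3)]
    return hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]


def parse_client_hello(record):
    htype, b = _handshake_body(record)
    if htype != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    off = 2 + 32                                  # legacy_version + random
    off += 1 + b[off]                             # legacy_session_id
    n = _u16(b, off); off += 2
    suites = [_u16(b, off + i) for i in range(0, n, 2)]; off += n
    off += 1 + b[off]                             # compression_methods
    exts = _extensions(b[off:])
    sni = None
    if EXT_SNI in exts:                           # ServerNameList with one host_name
        name_len = _u16(exts[EXT_SNI], 3)
        sni = exts[EXT_SNI][5:5 + name_len].decode("ascii")
    return {"offered_suites": suites, "sni": sni}


def parse_server_hello(record):
    htype, b = _handshake_body(record)
    if htype != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    legacy_version = _u16(b, 0)
    off = 2 + 32
    off += 1 + b[off]
    suite = _u16(b, off); off += 3                # cipher_suite + compression_method
    exts = _extensions(b[off:]) if off < len(b) else {}
    # TLS 1.3 keeps legacy_version at 0x0303 and signals 1.3 via supported_versions.
    version = _u16(exts[EXT_SUPPORTED_VERSIONS], 0) if EXT_SUPPORTED_VERSIONS in exts else legacy_version
    return {"version": version, "suite": suite}


def assess_session(client_hello, server_hello):
    """Combine both hellos into one per-session record plus policy findings."""
    ch, sh = parse_client_hello(client_hello), parse_server_hello(server_hello)
    name = SUITES.get(sh["suite"], f"unknown_0x{sh['suite']:04x}")
    findings = []
    if sh["version"] < 0x0303:
        findings.append("protocol below TLS 1.2")
    if "_CBC_" in name or "3DES" in name:
        findings.append("non-AEAD cipher suite")
    if name.startswith("TLS_RSA_"):
        findings.append("RSA key exchange: no forward secrecy")
    if ch["sni"] is None:
        findings.append("no SNI")
    return {"sni": ch["sni"], "version": VERSION_NAMES.get(sh["version"], hex(sh["version"])),
            "suite": name, "findings": findings}


# --- constructed handshake messages (not captured traffic) ---------------------
def _record(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

def _ext(etype, data):
    return struct.pack(">HH", etype, len(data)) + data

_host = b"example.com"
_ch_exts = (_ext(EXT_SNI, struct.pack(">HBH", len(_host) + 3, 0, len(_host)) + _host)
            + _ext(EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"))   # offers 1.3, 1.2
SAMPLE_CLIENT_HELLO = _record(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00"
                              + struct.pack(">H", 4) + b"\x13\x01\xc0\x2f" + b"\x01\x00"
                              + struct.pack(">H", len(_ch_exts)) + _ch_exts)
GOOD_SERVER_HELLO = _record(HS_SERVER_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x13\x01\x00"
                            + struct.pack(">H", 6) + _ext(EXT_SUPPORTED_VERSIONS, b"\x03\x04"))
WEAK_SERVER_HELLO = _record(HS_SERVER_HELLO, b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x2f\x00")

if __name__ == "__main__":
    print(assess_session(SAMPLE_CLIENT_HELLO, GOOD_SERVER_HELLO))
    print(assess_session(SAMPLE_CLIENT_HELLO, WEAK_SERVER_HELLO))
```

The same client offering TLS 1.3 produces a clean record against the first server (TLS 1.3, TLS_AES_128_GCM_SHA256, no findings) and three findings against the second (TLS 1.0, an RSA/CBC suite, no forward secrecy), even though both servers might present an identical, perfectly valid certificate. That per-session view is what certificate scanning cannot give you.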

Learn to measure and mitigate

There is no quick fix that fully protects the confidentiality of our data. However, moving to best practices and strong encryption will certainly play a crucial role in reducing the risk of breaches of corporate, employee and customer data.

Visibility is a virtue in this encrypted world, so organizations need to start implementing a “measure and mitigate” approach rather than a “detect and decrypt” one. This lets companies understand what is happening right now and better detect malicious activity on their encrypted networks.

Charles J. Kaplan